security projects thoughts

Jeff Johnson n3npq at mac.com
Mon Apr 18 07:04:39 PDT 2011


On Apr 18, 2011, at 9:40 AM, Arno Hautala wrote:

> On Mon, Apr 18, 2011 at 06:12, Bayard Bell
> <buffer.g.overflow at googlemail.com> wrote:
>> 
>> I've read back on the threads from March about binary packaging and
>> appreciate better what constraints were accepted to simplify deployment. The
>> signed Macports releases in distfiles that Anders pointed me to are signed
>> with GPG. Given that we're talking about developer tools rather than
>> packaging, is it reasonable to add this to the base requirements for
>> macports? Are people fine with the idea of using PGP with macports and
>> openssl with the packaging system?
> 
> I'm all for more GPG adoption, but it might be a good idea to be
> consistent and stick with OpenSSL.
> 

These are opinions only, without any supplied reason to prefer OpenPGP
over OpenSSL. Does DSA from OpenSSL taste better to you somehow than
OpenPGP? Perhaps the random big numbers are "fresher" if wrapped in
OpenSSL than OpenPGP?

>> If you go the GPG route for macports, do you want individual developers
>> signing things with their own keys, or do you want to have a common
>> key, as do the major RPM and apt distros?
> 
> A common key either means every developer gets a copy. But, do you
> really want to issue a new key every time a developer leaves or
> accidentally leaks the key?

Key management is a whole different issue. Since no one in a position
of "authority" in MacPorts has volunteered to issue anything, well,
there just ain't no keys to manage, are there?

> Or packages are signed by a central entity. This either puts a lot of
> pressure on a single developer or means robo-signing with a
> passphrase-less key or storing the passphrase on the server.
> 

There is no "central entity" unless you propose one and the proposal is adopted.

There is nothing wrong with robo-signing, it's called a "non-repudiable" signature,
and one can devise a credible security framework based on robo-signing
or any other "central authority".

> None of those are all that attractive. Each developer having their own
> key, that has been signed by a MacPorts "master" key or cert
> authority, distributes the work load, is easily scalable, and easily
> revokable as needed. You can do this with OpenSSL or GPG.
> 

What is the basis for "attractive" or not?

You've invented a fictional security system based on delegated trust
from a "central authority" without an explicit proposal.

73 de Jeff
